10.02.2026 - Over the past week, the NCSC has received an increasing number of reports about subscription bombing, a phenomenon that may look like massive spam at first glance but is in fact a targeted distraction tactic used by cybercriminals.
Imagine receiving hundreds or even thousands of confirmation emails in the span of just a few minutes, for example for newsletter sign-ups from websites all over the world. The aim of this attack is not harassment. Instead, the email flood is used to conceal a single, critical message. In many cases, attackers have gained access to one of their victims' accounts, such as online banking or an online shop, and triggered a transaction. The security alert or confirmation email from the affected service is then buried in a flood of emails and goes unnoticed by the victim.
Why classic filters fall short
For administrators, subscription bombing poses a particular challenge. The emails originate from legitimate servers around the world, meaning that traditional blacklists and spam filters usually fail.
- Legitimacy via SPF, DKIM and DMARC
The attackers use real web forms from legitimate companies. As these companies have correctly configured their email servers using SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), spam filters classify the messages as harmless. Aggressive filtering would also risk blocking legitimate system notifications.
- The backscatter problem
In some cases, the bombing is amplified by error messages (non-delivery reports) when attackers spoof the victim's email address as the sender. A strict DMARC policy (p=reject) for your own domain helps limit misuse of your identity – but cannot eliminate it entirely.
Email addresses don't belong in plain text
Easy access to target addresses is a key part of attack preparation. Email addresses are often collected through automated scraping of company websites.
- Avoid exposing email addresses on websites: Bots can automatically extract email addresses that appear in plain text.
- Protective measures: Use CAPTCHAs on contact forms to verify that a real person, rather than a bot, is submitting the request. Alternatively, obscure email addresses in the source code using JavaScript or obfuscation to make automated harvesting more difficult.
Recommendations in the event of a subscription bombing attack
If you are hit by a sudden flood of emails:
- Don't panic, and don't delete everything. First, search specifically for keywords such as "password", "payment", "order" or "security" to find any hidden warnings.
- Check your most important accounts, such as online banking and credit cards, directly for any suspicious activity. If necessary, contact the relevant providers and change your passwords.
- Do not respond to spam emails.
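The keyword search recommended above can be automated for a large flood. The following Python script is an added example written for this page, not NCSC code: it parses a mailbox, flags a burst of confirmation mails from many unrelated sender domains as a likely subscription-bombing event, and then surfaces every message whose subject or body mentions one of the advisory's keywords so it can be read by a person. The mailbox, sender domains, thresholds and the `bank.example` alert are all constructed sample data; tune the thresholds and extend the keyword list (for example with the names of your own bank and shops) for real use.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Keywords named in the advisory; extend with your own bank/shop names (assumption).
ALERT_KEYWORDS = ("password", "payment", "order", "security")


def _constructed_confirmation(domain: str, seconds: int) -> str:
    """Build one constructed newsletter-confirmation mail (sample data, not real mail)."""
    return (
        f"From: newsletter@{domain}\n"
        "Subject: Please confirm your subscription\n"
        f"Date: Tue, 10 Feb 2026 09:{seconds // 60:02d}:{seconds % 60:02d} +0100\n"
        "\nClick the link below to confirm your newsletter subscription.\n"
    )


# Constructed sample mailbox: 40 confirmations from 40 domains inside five minutes,
# one genuine alert from the (placeholder) bank buried among them, and one harmless
# newsletter whose name happens to contain a keyword.
SAMPLE_MAILBOX = [_constructed_confirmation(f"site{i}.example", 7 * i) for i in range(40)]
SAMPLE_MAILBOX.append(
    "From: alerts@bank.example\n"
    "Subject: Security alert: new payment authorised\n"
    "Date: Tue, 10 Feb 2026 09:02:10 +0100\n"
    "\nA payment of 950.00 was authorised from your account. "
    "If this was not you, contact us immediately.\n"
)
SAMPLE_MAILBOX.append(
    "From: hello@security-weekly.example\n"
    "Subject: Confirm your subscription to Security Weekly\n"
    "Date: Tue, 10 Feb 2026 09:03:00 +0100\n"
    "\nThanks for signing up. Confirm below.\n"
)


def parse_messages(raw_messages):
    """Parse raw RFC 822 strings into dicts sorted by Date (simple, non-multipart mail)."""
    parsed = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        parsed.append({
            "from": parseaddr(msg["From"])[1],
            "subject": msg["Subject"] or "",
            "date": parsedate_to_datetime(msg["Date"]),
            "body": "" if msg.is_multipart() else msg.get_payload(),
        })
    return sorted(parsed, key=lambda m: m["date"])


def is_subscription_bomb(messages, threshold=30, window=timedelta(minutes=10)):
    """True if at least `threshold` messages from at least `threshold // 2` distinct
    sender domains arrive inside any sliding `window`. Thresholds are assumptions."""
    start = 0
    for end in range(len(messages)):
        while messages[end]["date"] - messages[start]["date"] > window:
            start += 1
        in_window = messages[start:end + 1]
        domains = {m["from"].rsplit("@", 1)[-1].lower() for m in in_window}
        if len(in_window) >= threshold and len(domains) >= threshold // 2:
            return True
    return False


def find_hidden_alerts(messages, keywords=ALERT_KEYWORDS):
    """Return the messages whose subject or body contains any keyword (whole words,
    case-insensitive). Expect some false positives; the list is for human review."""
    pattern = re.compile(r"\b(?:" + "|".join(re.escape(k) for k in keywords) + r")\b",
                         re.IGNORECASE)
    return [m for m in messages
            if pattern.search(m["subject"]) or pattern.search(m["body"])]


def triage(raw_messages):
    """Full pass over a mailbox: burst verdict plus the candidate alerts to read first."""
    messages = parse_messages(raw_messages)
    return {
        "message_count": len(messages),
        "subscription_bomb": is_subscription_bomb(messages),
        "alerts": find_hidden_alerts(messages),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MAILBOX)
    print(f"{result['message_count']} messages, bombing suspected: {result['subscription_bomb']}")
    for alert in result["alerts"]:
        print(f"  REVIEW  {alert['date']:%H:%M:%S}  {alert['from']:<32} {alert['subject']}")
```

On the sample data the burst is recognised and two candidates are returned: the real bank alert and the "Security Weekly" confirmation, which shows why the keyword hits are a reading list rather than a verdict. For a real mailbox, feed the script the raw messages exported from your mail client and start with the entries it prints.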
Recommendations for website operators
Prevent your own website from being used as a tool for such attacks:
- Protect all web forms (e.g. newsletter sign-ups and contact forms) using mechanisms such as reCAPTCHA or hCaptcha.
- Limit the number of sign-ups or contact requests per IP address and time period.
- Require CAPTCHA verification before confirmation emails are sent.
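The three measures above combine naturally into one gate that a sign-up handler consults before any confirmation mail leaves the server. The Python class below is an added example for this page, not NCSC code or any particular framework's API: every submission counts against a per-IP budget in a sliding time window, a submission that fails CAPTCHA verification never reaches the mail step, and, going one step beyond the list above, the same recipient address gets at most one pending confirmation per window, because a legitimate person rarely re-subscribes within the hour while a bombing run hits the same victim address repeatedly. The limits, window, IP addresses and recipient addresses are constructed assumptions; the `captcha_passed` flag stands in for whatever verification your CAPTCHA provider returns.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class SignupGuard:
    """Decide whether a form submission may trigger a confirmation email.

    Limits and window are assumptions for illustration; tune them to your traffic.
    """
    ip_limit: int = 5            # submissions per source IP per window
    recipient_limit: int = 1     # pending confirmations per address per window
    window_seconds: int = 3600
    # Timestamps of recent submissions, keyed by IP and by normalised recipient.
    _ip_hits: dict = field(default_factory=lambda: defaultdict(deque))
    _recipient_hits: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, hits: deque, now: float) -> None:
        """Drop timestamps that have fallen outside the sliding window."""
        while hits and now - hits[0] > self.window_seconds:
            hits.popleft()

    def decide(self, ip: str, recipient: str, captcha_passed: bool, now: float = None):
        """Return (allowed, reason). Only (True, "send_confirmation") may send mail."""
        now = time.time() if now is None else now

        # 1. Per-IP limit: every attempt counts, including ones that fail CAPTCHA,
        #    so a bot hammering the form locks itself out quickly.
        ip_hits = self._ip_hits[ip]
        self._prune(ip_hits, now)
        ip_hits.append(now)
        if len(ip_hits) > self.ip_limit:
            return (False, "ip_rate_limited")

        # 2. CAPTCHA must have been verified before any mail is considered.
        if not captcha_passed:
            return (False, "captcha_failed")

        # 3. Per-recipient limit: one pending confirmation per address per window.
        #    Repeated confirmations to one address are the bombing pattern itself.
        recipient_hits = self._recipient_hits[recipient.strip().lower()]
        self._prune(recipient_hits, now)
        if len(recipient_hits) >= self.recipient_limit:
            return (False, "recipient_rate_limited")
        recipient_hits.append(now)
        return (True, "send_confirmation")


if __name__ == "__main__":
    # Constructed walk-through: one IP submits the same victim address repeatedly.
    guard = SignupGuard(ip_limit=3, recipient_limit=1, window_seconds=600)
    t0 = 1_000.0
    for offset, (addr, captcha_ok) in enumerate([
        ("victim@example.org", True),
        ("victim@example.org", True),
        ("other@example.org", False),
        ("third@example.org", True),
    ]):
        print(guard.decide("198.51.100.7", addr, captcha_ok, now=t0 + offset))
    print(guard.decide("198.51.100.7", "victim@example.org", True, now=t0 + 700))
```

Whatever the decision, show the submitter the same neutral "if the address is valid, a confirmation has been sent" response, so the form does not reveal which addresses are known or rate-limited; the `reason` value is for your own logs and alerting, where a spike of `recipient_rate_limited` decisions is a useful indicator that your form is being used against someone.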
Current statistics
Last week's reports by category:
Last modification 10.02.2026